DRSLT (United States of America) asked:
Unlock account permissions

When I run the following script I get the error on the line UsrObj.SetInfo:

General access denied error
Code: 80070005
Source: Active Directory

I have done all the proper MS Security setups.  
The rights work fine from an ADUC with the Active Directory Users and Computers snap-in.
However, the Script only works if I set the user up as an Account Operator.  I would prefer not to add non-IT users as Account Operators.

Thanks.

'-------------------------------------------------------------------------------
' Usr_AccountUnlock.vbs
'
' Developer: Charles (charles@serverguys.com)
' Developed: 2000-08-01
' Modified: 2000-08-01
' Version: 1.0
'
' Description: Uses ADSI to unlock the given account
'-------------------------------------------------------------------------------

'-------------------------------------------------------------------------------
' *** Definitions ***
'-------------------------------------------------------------------------------
dim acct
dim dom
dim UsrObj

'-------------------------------------------------------------------------------
' *** Main Script ***
'-------------------------------------------------------------------------------
' Display an inputbox requesting the account to unlock
acct = inputbox("Please enter the account name.", "Unlock Account")

' Display an inputbox requesting the domain name to look in
dom = inputbox("Please enter the domain name where this account resides.", "Unlock Account")

wscript.echo "Beginning unlock of account " & dom & "\" & acct

Set UsrObj = GetObject("WinNT://" & dom & "/" & acct)
If UsrObj.IsAccountLocked = TRUE Then
   UsrObj.IsAccountLocked = FALSE
   UsrObj.SetInfo
End If

wscript.echo "Completed unlock of account " & dom & "\" & acct

'-------------------------------------------------------------------------------
' *** End Main ***
'-------------------------------------------------------------------------------
SOLUTION (TheCleaner)
DRSLT (asker):

Thanks for the reply. We were afraid that the Account Operator might hang us up.
We will check into the Run As.  
We are also trying other options.
Are you wanting to allow a user to unlock their own account or something?
DRSLT (asker):

We are a Manufacturing company that has recently started multiple shifts.  We want Mfg Supervisors to be able to unlock their staff user accounts in the evening and night when the IT staff is not available.
Needs to be very simple and secure. We don't want to give these Night Shift Supers too much power even if they are not aware of it.
You can do this by giving them delegated rights in Active Directory.

You will need to script it if all you want them to have rights to do is lock/unlock accounts.

See here:

http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx

Domain Password and Lockout Policies
{c7407360-20bf-11d0-a768-00aa006e0529}
Property set containing all lockout and password age related attributes on user account. Applies to Domain and DomainDNS objects

You can simplify this if you allow them to reset passwords.  Simply open ADUC, go to the OU you want to delegate rights to, right click "delegate", then put the users you want to have the permissions (like supervisors).  Then choose the common "reset passwords, etc" (don't remember the exact wording).

That will allow them to unlock and reset passwords as needed.

They can then use either your unlock script or actually use a custom MMC that you can build for them that only shows that OU.
ASKER CERTIFIED SOLUTION (oBdA)
OK, I like oBdA's answer better...lol.

Sorry for my confusion...I was going off what another IT guy here said, and it made sense to me.
DRSLT (asker):

The object of this was to allow any individual belonging to our Unlock group to only have the rights to do that single action.

They only need to be a Domain User and do not need to be a member of the Account Operators group.

We did about 4 days of testing different ways of resolving the problem.

Final solution for the Unlock Account problem.

Step 1:
From MS Doc Q294952 we made an Unlock group with the appropriate rights.

Step 2:
This added the menu item Unlock account to a right-click on a user account object. It was a little confusing at first how to add the appropriate lines with ADSIedit, but once there it worked great.

http://www.petri.co.il/add_unlock_user_option_to_dsa.htm

We copied the VB scripts to a shared R/O area on one of our servers. And gave the rights to the UnlockUsers Group.

Step 3:
With this we created a blank custom taskpad.
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

Step 4:
We created an AD query that gave us a list of all users in our domain regardless of what OU they were in.

Final result is a Taskpad that has:
- Left side: an unlockuser.vbs script
- Right side of the panel: a complete listing of all users.

Highlight the user. Click on the VBS script and the user is unlocked.
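The posted script binds through the WinNT provider, while the delegation from Q294952 (Step 1) grants the Unlock group rights on the user object's lockoutTime attribute in Active Directory; binding through the LDAP provider and clearing that one attribute exercises exactly the delegated right, so the caller needs no Account Operators membership. This is an added example, not code from the original thread; the function name UnlockUser and the sample distinguished name are assumptions, and it assumes the caller belongs to the group delegated Read/Write lockoutTime.

```vbscript
Option Explicit

Function IsLocked(usr)
    ' lockoutTime is a LargeInteger; any nonzero value means the account is
    ' locked out. A user that has never been locked may have no value at all,
    ' so a failed Get is treated as "not locked".
    Dim lt
    IsLocked = False
    On Error Resume Next
    Set lt = usr.Get("lockoutTime")
    If Err.Number = 0 Then
        If lt.HighPart <> 0 Or lt.LowPart <> 0 Then IsLocked = True
    End If
    Err.Clear
    On Error GoTo 0
End Function

Function UnlockUser(userDN)
    ' Returns True when the account ends up unlocked, False on any failure.
    Dim usr
    UnlockUser = False
    On Error Resume Next
    ' LDAP provider: the caller's own credentials are used, so only the
    ' rights delegated to the caller's group apply to this write.
    Set usr = GetObject("LDAP://" & userDN)
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed for " & userDN & ": " & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If
    If Not IsLocked(usr) Then
        WScript.Echo userDN & " is not locked out; nothing to do."
        UnlockUser = True
        Exit Function
    End If
    ' Clearing lockoutTime is the unlock; it touches no other attribute.
    usr.Put "lockoutTime", 0
    usr.SetInfo
    If Err.Number <> 0 Then
        ' 80070005 here means the caller lacks Write lockoutTime on this object,
        ' i.e. the Q294952 delegation is missing or not inherited to this OU.
        WScript.Echo "Unlock failed: " & Hex(Err.Number) & " " & Err.Description
    Else
        WScript.Echo "Unlocked " & userDN
        UnlockUser = True
    End If
End Function

' Constructed sample DN (assumption); replace with the selected user's real DN.
Call UnlockUser("CN=Jane Doe,OU=Production,DC=example,DC=com")
```

Because only lockoutTime is written, the event logged on the domain controller for the change is the single attribute modification, which makes it straightforward to audit who unlocked whom from the Unlock group.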